* Posts by MadAsHell

21 posts • joined 8 Nov 2019

That Salesforce outage: Global DNS downfall started by one engineer trying a quick fix

MadAsHell

Experience is the name that we give to our mistakes

Rather than firing the guy, a really smart employer would be able to 'encourage' said employee to sign Indenture papers (to the amount of the cost to SF of the outage/reputational damage), effectively tying said employee to the company for the rest of their life.

Said employee, now sadder, poorer and very much wiser, would be a voice of reason when some young script-kiddie, newly hired, says 'Oh, I'll fix that in a jiffy....'

Because mistakes are the only thing that we learn from, success hardly ever teaches us anything.

And smart employers should want employees who have *already* made all of the classic mistakes, and still remember how to avoid repeating them.

Deloitte settled HPE's Autonomy lawsuit for $45m back in 2016 and agreed to cooperate with US DoJ

MadAsHell

Bolsters the Lynch defence

The challenge for the plaintiff in this action is to show, on the balance of probability, that the defendant knowingly deceived them by false accounting. Their own world-class accountants produced a report saying don't buy this asset for this price, they don't have an admission of liability from the auditors of the asset, and the defendant is entitled to keep saying that 'my experts said the books were OK, but now I understand that they got this wrong, and your experts said don't buy it'.

I believe that the Secretary of State for Housing recently stated in the House the old legal maxim 'caveat emptor'. Seems to apply here.

Of course an impartial bystander would wonder at the ego from the plaintiff of spending another $8M in legal fees in a vindictive attempt to draw attention away from their own arrogance, greed and stupidity.

If this is how they run their company, their shareholders should wonder about the safety of their shareholdings. It can't possibly meet the fiduciary duty to the shareholders to continue this case - legally the defendant is nearly a man-of-straw - as there is no hope of getting any of their $8BN back. We used to call this playground spitefulness. And it's not how grown-ups should run a public company.

Pop quiz: You've got a roomful of electrical equipment. How do you put out a fire?

MadAsHell

Fire suppression and high-value electronics

20+ years ago I worked for a niche energy company: their large, critical mainframe installation was housed in a new build, old-factory style building (series of roof ridges, high ceiling) in attractive red-brick. Far too big to be able to afford the halon (and in any case now, it's very difficult to find any non-CO2 material that will be licensed - many existing installations may no longer legally be refilled if discharged), and impossible to displace enough O2 quickly enough with a CO2 system to be effective. Any effective CO2 flood system would literally blow everyone off their feet - and how to avoid imploding their ear-drums?

Their solution: VESDA that triggered a 10s delay, followed by total electrical power disconnection, then another delay of about 10s, followed by water sprinkler from a dry-riser system. It's usually *fairly* easy to dry out circuit boards that have been soaked in clean water, with minimal losses.

Except that the VESDA was *so* sensitive that you were NOT allowed to lift floor tiles without disabling the VESDA first - enough dust trapped in amongst the cables to trigger the alarm => cries of anguish all round. It happened once, but the visiting engineer's foolishness was stopped by a very smart colleague who got to the disable button before the water started. Took a while to restart everything after the crash power loss though...

Well, on the bright side, the SolarWinds Sunburst attack will spur the cybersecurity field to evolve all over again

MadAsHell

Re: Broken security model

I agree. The irony is that the UK NCC position on network security in the early 1990s was that any network where you can't see all of the endpoints all of the time should be regarded as Untrusted.

There is little new under the sun in our world, we just have to keep re-learning the same lessons, albeit in a different guise.

45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware

MadAsHell

Security model is upside down so they can't implement SSO

There are some interesting and valid comments here. Yes, the number of logins required to pull together all of the imaging for a given patient can be a real PITA, hence why busy docs in overloaded clinics hate the login process. Answer, you say, a SSO.

But since the idiots in DoH/DHSC (and HMRC) went 'digital' they've turned the security model upside down. Back in the day, your medical notes and silver-based imaging were physical, tangible entities. Difficult to find (because no-one in the DoH had heard of barcodes in the 1990s, except us) but impossible to snoop. No idle trawling through some remote DB, thinking 'I wonder if Matt Hancock's syphilis test result is back yet?' Same with tax records: it was policy that your tax office was the other end of the country to where you worked and lived. No social engineering there either.

Skip forward and *all* tax records are on a single system and every HMRC call centre operative can pull up John Smith's tax records. Except that HMRC realised this might be an issue: there's an entirely separate tax record system for MPs/celebs and VIPs! No browsing through the declared tax from the nomenklatura/friends of Gov with their snouts in the PPE trough.

But in Health Care, ALL records are on line, belonging to each Trust. So imagine the impact of a single-sign-on solution across the NHS. Any GP's receptionist could idly trawl through anyone's health care records. Given how many warranted coppers and civilian workers are disciplined or fired each year for inappropriate access to the PNC (hint: El Reg article 11th Nov 2019 - about 1 every 3 days), imagine the leaks from all of those juicy WAGS and COVIDiot browsing sessions.

Shudder!

Marine archaeologists catch a break on the bottom of the Baltic Sea: A 75-year-old Enigma Machine

MadAsHell

Re: Old typewriter

Lack of articles on crypto efforts against British WWII ciphers: easy. Too embarrassing. It's one of the great unsung scandals of WWII crypto in the UK that while we realised the value of breaking Enigma (and later Lorenz), we completely failed to understand the linkage between U-boat successes (esp. in N Atlantic convoys) and German breaking of UK Admiralty Naval ciphers.

Typex was never broken, but we didn't put Typex on board ship.

We lost a lot of good men, material and ships due to this massive blind spot.

US Supreme Court Justice flames lower courts for giving 'sweeping immunity' to Facebook, YouTube, etc when it comes to harmful content

MadAsHell

Prospective over-ruling

IIRC, the UK House of Lords, in the obiter for Sidaway, gave warning that, given the same facts in a later case, they would deliver the contrary judgment. I think it was called prospective over-ruling. Give the legally correct judgement now, but warn that the current interpretation of the law (consent and the degree of informing that led to that consent) was no longer good enough and that it would be effectively reversed in the future, creating a new binding precedent.

It's often better than ham-fisted drafting by legislators (e.g. 1967 Theft Act, really badly drafted, didn't cover so-called joy-riding => hence new offence TWOC).

Lift us up where we belong: UK's Network Rail puts elevators online

MadAsHell

So much cheaper and easier than actually making them all work...

Sigh! What a great dodge to avoid the tedious effort of actually making them work. But PPM is sooooo expensive...

After ten years, the Google vs Oracle API copyright mega-battle finally hit the Supreme Court – and we listened in

MadAsHell

IBM BIOS replication

I'm puzzled why little or none of the coverage of this case seems to mention the IBM PC and BIOS replication (pardon me if I've missed this).

IBM's legal/IP team were shocked at how quickly 'clones' of the PC BIOS appeared. Those developed by the two team clean-room approach were never hit with legal claims as it was obvious to IBM that the APIs had been reproduced in a fair-use/reverse-engineering approach which didn't infringe on their rights, no matter how much it annoyed IBM.

They say in Press Training never to accept the premise of the question: the Supremes are being asked to choose between *all* of Oracle's claims and *all* of Google's. When all the options are equally unacceptable, start looking for more options.

And the middle road here appears to be, protect the IP of the code that makes something work, while ruling that APIs, whether documented or not, cannot be protected by copyright.

A lot of the excellent comments going before cover patents and copyright and their differences. Copyright is actually a poor model for software (easy to obtain copyright protection, lasts - these days - nearly for ever or as long as Disney want, it's free to obtain, doesn't need to be renewed annually, and protections are massive), while patents are extremely expensive to obtain, have to be renewed annually, and each one only applies to a specific jurisdiction - and they last typically 12-16 years and then that's it. Good, basic patents really do reflect the work that went into their creation - the patent protecting the Fritz-Haber process for Ammonia production from nitrogen was perfect - covered all methods without revealing the trade secrets of pressure and temperature that had been so expensively determined by theory and experimentation. Most patents these days are Secondary - e.g. patent covering CDs. No-one had thought to use optical phase-contrast to store digital information before, so it was novel.

Former BT CEO to lead task force that will advise UK.gov on diversifying the nation's telecoms supply chain

MadAsHell

What has Amy Karan been smoking?

Failure of Capitalism my a***. Capitalism/Free Market has done *exactly* what it should have, and Directors of public companies have a legal duty to maximise value for their shareholders.

Very clearly - as others have noted - a failure by Governments to manage the risks in their supply chain. Just like UK DHSC and PPE...

UK.gov announces review – not proper inquiry – into Fujitsu and Post Office's Horizon IT scandal

MadAsHell

Re: Well that's a relief

Agreed. Time some folk from Fujitsu who gave evidence under oath faced Perjury charges.

Don't trust deep-learning algos to touch up medical scans: Boffins warn 'highly unstable' tech leads to bad diagnoses

MadAsHell

Re: Human vetting

Key here is invisible-at-first decision support. Let the humans do their assessment and then show them the machine's verdict, possibly reducing the number of false-negatives (generally a good thing, but that's debatable too, e.g. DCIS for Breast Cancer).

Years ago I used to mark undergrad essays for Medical Faculty - strict two marker system, and second marker was not allowed to see first marker's grades. Any papers differing by more than <x> percent had to be remarked - by both IIRC. That's a sensible basis of QA.

This isn't the first time ProcNatAcadSci (PNAS as they are now) has alerted the world to software issues affecting medical imaging data: see https://www.pnas.org/content/113/28/7900.full. Even the raw data from fMRI is transformed so much before any human can see it, that there is already plenty of potential for garbage in some cases. Applying dodgy neural network AI to the first-pass images is like feeding noise into a positive-feedback loop. It works, but the sound ain't pretty.

O2 be a fly on the wall during BT and Vodafone's video calls: Telefónica's UK biz, Virgin Media officially merge

MadAsHell

Re: Cellnet

BT *always* regretted selling off Cellnet - they knew that it was a mistake at the time, but they were forced into it by a desperate need for cash to address their debt mountain, and it was the only thing that they could sell that was worth enough to make a difference.

Looming ventilator shortage amid pandemic sparks rise of open-source DIY medical kit. Good thinking – but safe?

MadAsHell

More ventilators can be made very quickly

Back in the '80s and '90s there was a completely acrylic, power-free simple gas-pressure powered ventilator that was commonly used in field hospitals. Simple time-cycled, pressure-limited ventilation, suitable for folk who can't breathe adequately on their own. No mains, no batteries. Any company with expertise in injection moulded plastic could make hundreds of these per day. There are a couple of specialist valves that would need to be bought in, but apart from that, easy to mass produce. Perfect for Dyson.

Patients with more difficult ventilation requirements would be moved on to the clever electronic ventilators that hospitals already have, and it would be easy to train retired nurses and doctors to monitor the patients on the simple ventilators, while the experts worked on the seriously ill patients.

During the 1950s polio epidemics, when hundreds of patients with paralysed chests needed assisted ventilation, medical students hand-ventilated patients in hospital corridors rather than let them just die.

We know what to do, we just have to sweep away the objections and obstacles.

Corporate VPN huffing and puffing while everyone works from home over COVID-19? You're not alone, admins

MadAsHell

Split-tunnelling? Security madness, surely?

Is enabling split tunnelling really such a good idea? Doesn't that make each user's remote laptop capable of being a router from nasty Internet to clean Corporate network?

Sorry to be blunt about this... Open AWS S3 storage bucket just made 30,000 potheads' privacy go up in smoke

MadAsHell

But the weed smokers won't care, will they! Too high to care.

We won't CU later: New Ofcom broadband proposals mull killing off old copper network

MadAsHell

Re: Cancelled my BT account

Sadly it won't with the tiny minds at Ofcom and the National Infrastructure crew in charge. We've wasted nearly £1BN on rural broadband so far with almost nothing to show for it.

MadAsHell

Re: Got my new FTTP connection yesterday

And you propose to do *what* with this much bandwidth? Run your own website? And when the power fails or the link fails what then? That co-lo starts to look quite smart.

It's just like the speedo on my wife's car - 220kph max. Useless.

MadAsHell

There's no benefit in the cost-benefit analysis to retire the entire copper network. The cost to every household that still has some form of POTS will be astronomical - for what? Another telephone that doesn't work when the wind doesn't blow (i.e. when our crappy electricity generation, which all ultimately depends on the sun, fails)?

This is the usual central-minds 'let's have one single solution for every problem' approach. There are several problems that need to be fixed and a one-size-fits-all won't work - but that won't stop them.

Rural broadband provision won't be helped by this, it won't provide more space in ducts and poles, it won't provide cheaper bandwidth and it won't work when the 'leccy fails. Apart from that it will all be wonderful, 'cos it's new technology, 'innit?

You only have to look at the huge costs of the Irish Rural Broadband project - which as the name suggests is only intended to cover non-urban areas - to see just how much money is required to lay this much fibre and actually make it work. No-one knows how expensive it will be to maintain, but damage to rural cables will be frequent as culverts and gullies are cleared to prevent flooding.

It's the high-tech hangup all over again.

Morrisons tells top court it's not liable for staffer who nicked payroll data of 100,000 employees

MadAsHell

Re: Depends if decent efforts at data security made by Morrisons

Quis custodiet ipsos custodes? The Romans understood this question 2k years ago.

Just because you have to give someone God-mode access doesn't mean that you don't monitor and record their activity. Isn't that why we like the idea of always-on bodycams for USA Police?

It's a cop-out to throw your hands up in the air and say 'I don't know enough to control my admins'. And you should be held accountable and liable if that's what you've done.

MadAsHell

Employers MUST be liable for their employees

The whole point of vicarious liability was to provide some remedy for injury caused by a man-of-straw (the employee) - his employer, for whom he is an agent, has to accept the risk and then a) mitigate that risk, b) insure against it (if he has any sense).

By this logic the RCJ are absolutely liable for their cleaning staff who steal from judges' chambers! The employer has provided them with a go-anywhere pass (essential for the job) but has to take reasonable steps to ensure that they are honest and bears the responsibility if they steal during the course of their job. If they try to use the pass out of hours to gain access, the pass should be disabled, all accesses should be logged, and random audits done, which mitigates the risk. As the temptation and risk grows the steps required to ensure that staff are honest increase: exemption from the Rehabilitation of Offenders Act, a guarantor standing a bond, background checks etc. The RCJ are *not* liable if their employee assaults someone during the course of the job, or speeds in a car to and from the job. There's a line, which only Lady Hale has difficulty seeing.

If Morrisons escape liability for this then they can't be held liable for their warehouse staff driving a forklift truck into someone, or dropping a pallet onto a visitor, and even Lady H can see that would be a serious public policy mistake.

Just because no-one was punished for the loss/theft of the entire NI child benefit claimant list doesn't mean that DWP weren't liable for the damages when folk discover that their IDs have been cloned using the stolen data.
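The two Morrisons comments above argue that 'God-mode' access must still be logged, that out-of-hours use should be blocked or at least flagged, and that random audits should be run over the logs. The following is an added example of what that audit logic looks like in practice; it is not code from the original page, from Morrisons or from any commenter. The log format, the field names (user, role, action, table, rows), the sample log lines, the working-hours window and the bulk-export threshold are all constructed assumptions for illustration. It flags two things the payroll theft would have tripped: a privileged account active outside working hours, and an export of far more rows than any legitimate task needs; it also picks a seeded random sample of events for a human auditor to review.

```python
"""Review a privileged-access audit log: out-of-hours use, bulk exports, random audit sample.

Added example (not from the page). Log format, thresholds and sample data are assumed.
"""
import random
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Tuple

# Constructed sample log (not real data). One event per line, key=value fields.
# 2020-03-11 is a Wednesday, 2020-03-12 a Thursday.
SAMPLE_LOG = """\
2020-03-11T09:15:02 user=jdoe role=admin action=READ table=payroll rows=1
2020-03-11T22:47:19 user=jdoe role=admin action=EXPORT table=payroll rows=99998
2020-03-11T10:03:44 user=asmith role=clerk action=READ table=payroll rows=1
2020-03-12T02:10:00 user=asmith role=clerk action=READ table=payroll rows=1
2020-03-12T14:30:12 user=jdoe role=admin action=EXPORT table=payroll rows=250
"""

# Assumed log line layout; adjust the pattern to the real audit source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    table: str
    rows: int


def parse_log(text: str) -> List[Event]:
    """Parse key=value audit lines; malformed lines raise rather than being silently dropped,
    because a gap in an audit trail is itself a finding."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line {lineno}: {line!r}")
        events.append(Event(
            ts=datetime.fromisoformat(m["ts"]),
            user=m["user"], role=m["role"], action=m["action"],
            table=m["table"], rows=int(m["rows"]),
        ))
    return events


def is_out_of_hours(ts: datetime, start: time = time(7, 0), end: time = time(19, 0)) -> bool:
    """Assumed working window: Mon-Fri, 07:00 to 19:00. Weekends are always out of hours."""
    if ts.weekday() >= 5:
        return True
    return not (start <= ts.time() < end)


Alert = Tuple[str, str, object]  # (kind, user, detail)


def review(events: List[Event],
           privileged_roles: FrozenSet[str] = frozenset({"admin"}),
           bulk_threshold: int = 1000) -> List[Alert]:
    """Apply the two rules from the comments: everything is logged, so
    (1) any access out of hours is flagged (the 'pass' should already have been
        disabled; if it still worked, that is worth knowing), and
    (2) an EXPORT of more rows than the assumed threshold is flagged as a bulk
        extraction, whoever did it."""
    alerts: List[Alert] = []
    for e in events:
        if is_out_of_hours(e.ts):
            alerts.append(("OUT_OF_HOURS", e.user, e.ts.isoformat()))
        if e.action == "EXPORT" and e.rows >= bulk_threshold:
            alerts.append(("BULK_EXPORT", e.user, e.rows))
    # privileged_roles is kept for callers who want to raise severity on admins
    return [a for a in alerts]


def sample_for_audit(events: List[Event], k: int, seed: int) -> List[Event]:
    """Seeded random sample for a human 'random audit'; the seed is recorded so the
    selection can be reproduced and shown not to have been cherry-picked."""
    rng = random.Random(seed)
    return rng.sample(events, min(k, len(events)))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in review(evs):
        print(alert)
    for ev in sample_for_audit(evs, 2, seed=1):
        print("audit sample:", ev)
```

Run against the constructed log it reports jdoe's 22:47 session and the 99,998-row export, plus asmith's 02:10 read; the 250-row daytime export passes. In a real deployment the parser would read from the database's own audit trail rather than a text file, the window and threshold would be per-role, and the bulk rule would be a rate over a window rather than a per-event count, since an insider can split one export into many small ones.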


Biting the hand that feeds IT © 1998–2021